A. Network Architecture
An Internet communications network 100 is depicted in FIG. 1 including five transmit or backbone networks A,B,C,D, and E and three stub networks R, Y, and Z. A "backbone" network is an intermediary network which conveys communicated data from one network to another network. A "stub" network is a terminal or endpoint network from which communicated data may only initially originate or ultimately be received. Each network, such as the stub network R, includes one or more interconnected subnetworks I, J, L, and M. As used herein, the term "subnetwork" refers to a collection of one or more nodes, e.g., (c,w), (d), (a), (b,x,y), (q,v), (r,z), (s,u), (e,f,g),(h,i),(j,k,l),(m,n), and (o,p), interconnected by wires and switches for local internodal communication. Each subnetwork may be a local area network (or "LAN"). Each subnetwork has one or more interconnected nodes which may be host computers ("hosts") u,v,w,x,y,z (indicated by triangles) or routers a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s (indicated by squares). A host is an endpoint node from which communicated data may initially originate or ultimately be received. A router is a node which serves solely as an intermediary node between two other nodes; the router receives communicated data from one node and retransmits the data to another node. Collectively, backbone networks, stub networks, subnetworks, and nodes are referred to herein as "Internet systems".
FIG. 2 shows a block diagram of a host or router node 10. As shown, the node may include a CPU 11, a memory 12 and one or more I/O ports (or network interfaces) 13-1, 13-2, . . . , 13-N connected to a bus 14. Illustratively, each I/0 port 13-1, 13-2, . . . , 13-N is connected by wires, optical fibers, and/or switches to the I/O port of another node. The I/O ports 13-1, 13-2, . . . , 13-N are for transmitting communicated data in the form of a bitstream organized into one or more packets to another node and for receiving a packet from another node. If the host 10 is a host computer attached to a subnetwork which is an Ethernet, then the host will have an I/O port which is an Ethernet interface.
A host which initially generates a packet for transmission to another node is called the source node and a host which ultimately receives the packet is called a destination node. Communication is achieved by transferring packets via a sequence of nodes including the source node, zero or more intermediary nodes, and the destination node, in a bucket brigade fashion. For example a packet may be communicated from the node w to the node c, to the node d, to the node b, and to the node x.
An exemplary packet 40 is shown in FIG. 3A having a payload 41 which contains communicated data (i.e., user data) and a header 42 which contains control and/or address information. Typically, the header information is arranged in layers including an IP layer and a physical layer.
The IP layer typically includes an IP source address, an IP destination address, a checksum, and a hop count which indicates a number of hops in a multihop network. A physical layer header includes a MAC (Media Access Control)address (hardware address) of the source and a MAC address of the destination.
The user data may include a TCP (Transfer Control Protocol) packet including TCP headers or a UDP (User Data Protocol) packet including UDP headers. These protocols control among other things, the packetizing of information to be transmitted, the reassembly of received packets into the originally transmitted information, and the scheduling of transmission and reception of packets (see e.g., D. Commer, "Internetworking With TCP/IP", Vol. 1 (1991); D. Commer and D. Stevens, "Internetworking With TCP/IP", Vol. 2 (1991)).
As seen in FIG. 3B, in an exemplary Internet protocol (IP), each node of the Internet 100 is assigned an Internet address (IP address) which is unique over the entire Internet 100 such as the Internet address 30 for the node y shown in FIG. 3B. See, Information Sciences Institute, RFC 791 "Internet Protocol", September, 1981. The IP addresses are assigned in an hierarchical fashion; the Internet (IP) address 30 of each node contains an address portion 31 indicating the network of the node, an address portion 32 indicating a particular subnetwork of the node, and a host portion 33 which identifies a particular host or router and discriminates between the individual nodes within a particular subnetwork.
In an Internet system 100 which uses the IP protocol, the IP addresses of the source and destination nodes are placed in the packet header 42 (see FIG. 3A) by the source node. A node which receives a packet can identify the source and destination nodes by examining these addresses.
In an Internet system, it is the IP address of a destination that is known, and the physical address (i.e., MAC address) to be placed in the MAC frame header is to be determined. If the destination host is on the same local area subnetwork (and this is easily determined by observing that the network part in both the source and destination IP addresses is the same), then the destination address that is to go into the MAC header destination address field is simply the physical address of the destination host. The MAC destination address may be found by means of the ARP (Address Resolution Protocol) which comprises having the source lost broadcast an ARP request packet with the IP address of the destination host and having the destination host respond with its hardware (MAC) address. This MAC address may be placed in the MAC frame (physical layer) headers.
B. Encryption Techniques
Eavesdropping in a network, such as the Internet system 100 of FIG. 1, can be thwarted through the use of a message encryption technique. A message encryption technique employs an encipherment function which utilizes a number referred to as a session key to encipher data (i.e., message content). Only the pair of hosts in communication with each other have knowledge of the session key, so that only the proper hosts, as paired on a particular conversation, can encrypt and decrypt digital signals. Three examples of encipherment functions are (1) the National Bureau of Standards Data Encryption Standard (DES) (see e.g., National Bureau of Standards, "Data Encryption Standard", FIPS-PUB-45, 1977), (2) Fast Encipherment Algorithm (FEAL) (see e.g., Shimizu and S. Miyaguchi, "FEAL-Fast Data Encipherment Algorithm," Systems and Computers in Japan, Vol. 19, No. 7, 1988 and S. Miyaguchi, "The FEAL Cipher Family", Proceedings of CRYPTO '90, Santa Barbara, Calif., August, 1990); and (3) International Data Encryption Algorithm ("IDEA") (see e.g., X. Lai, "On the Design and Security of Block Ciphers," ETH Series in Information Processing, v.1, Konstanz: Hartung-Gorre Verlag 1992). One way to use an encipherment function is the electronic codebook technique. In this technique a plain text message m is encrypted to produce the cipher text message c using the encipherment function f by the formula c=f(m,sk) where sk is a session key. The message c can only be decrypted with the knowledge of the session key sk to obtain the plain text message m=f(c,sk).
Session key agreement between two communicating hosts may be achieved using public key cryptography. (See e.g., U.S. Pat. Nos. 5,222,140 and 5,299,263).
Before discussing public key cryptographic techniques, it is useful to provide some background information. Most practical modern cryptography is based on two notorious mathematical problems believed (but not proven) to be hard (i.e., not solvable in polynomial time, on the average). The two problems are known as Factorization and Discrete-Log. The Factorization problem is defined as follows:
Input: N, where N=pq where p and q are large prime numbers PA1 Output: p and/or q. PA1 Input: P,g,y, where y.tbd.g.sup.x mod P, and P is a large prime number PA1 Output: x. PA1 Input: N,y, where y.tbd.X.sup.2 mod N, and N=pg, where p and q are large primes PA1 Output: x. PA1 Input: N, g, g.sup.x mod N, g.sup.y mod N, where N.tbd.pq and p and q are large primes. PA1 Output: g.sup.xy mod N. PA1 (1) a static (permanent) private key; PA1 (2) dynamic (changing) private key; PA1 (3) a static public key; and PA1 (4) a dynamic public key.
The Discrete-Log problem is defined as follows:
(The Discrete-Log problem can be similarly defined with a composite modulus N=pq).
Based on the Factorization and Discrete-Log problems, some other problems have been defined which correspond to the cracking problems of a cryptographic system.
One system of such a problem which has previously been exploited in cryptography (see, e.g., H. C. Williams, "A Modification of RSA Public-Key Encryption", IEEE Transactions on Information Theory, Vol. IT-26, No. Nov. 6, 1980) is the Modular Square Root problem, which is defined as follows:
Calculating square roots is easy if p and q are known but hard if p and q are not known. When N is composed of two primes, there are in general four square roots mod N. As used herein, z.tbd.x mod N is defined to mean that x is the smallest integer whereby z.sup.2.tbd.x mod N.
Another problem is known as the Composite Diffie-Hellman (CDH) problem, which is defined as follows:
It has been proven mathematically that the Modular Square Root and Composite Diffie-Heliman problems are equally difficult to solve as the above-mentioned factorization problem (see, e.g., M. O. Rabin, "Digitalized Signatures and Public Key Functions as Intractable as Factorization", MIT Laboratory for Computer Science, TR 212, January 1979; Z. Shmuely, "Composite Diffie-Hellman Public Key Generating Schemes Are Hard To Break", Computer Science Department of Technion, Israel, TR 356, February 1985; and K. S. McCurley, "A Key Distribution System Equivalent to Factoring", Journal of Cryptology, Vol. 1, No. 2, 1988, pp. 95-105).
In a typical public-key cryptographic system, each user I has a public key P.sub.i (e.g., a modulus N) and a secret key S.sub.i (e.g., the factors p and q). A message to user I is encrypted using a public operation which makes use of the public key known to everybody (e.g., squaring a number mod N). However, this message is decrypted using a secret operation (e.g., square root mod N) which makes use of the secret key (e.g., the factors p and q).
C. Network Security Devices
At present, existing network security products are categorized into two classes: (1) firewalls, such as Janus and ANS, and (2) software products, such as encrypted mail, secured http, one time password, etc.
A firewall is a dedicated computer, usually running a Unix operating system. It acts as a filter for incoming and outgoing communications. The firewall is placed as a router between the local area network (LAN) and the outside world. The decision whether to pass a packet is made based on the source and/or destination IP address, and the TCP port number. Some firewalls also have the ability to encrypt data, provided that both sides of the communication employ the same brand of firewall. Some firewalls have a personal authentication feature.
Software products are based on the premise that the computer on which they are installed are secure, and protection is only needed outside on the network. Thus, such software products can easily be bypassed by breaking into the computer. A typical scheme is when an intruder implants a "Trojan Horse" on a computer which sends him an unencrypted copy of every transaction. Sometimes, it is even done as a delayed action during the off-hours when the computer is not likely to be supervised.
In addition, there are authentication products designed to maintain the integrity of the computer against intrusion. These products are based on the premise that the products are 100% secure. Once the product is compromised, it becomes totally ineffective. Sometimes, careless use by one user may jeopardize all other users of the product.
Firewalls are more effective in maintaining network security. However they are very expensive. Their price range is between $10,000 and $50,000, plus the price of the hardware. They require a high level of expertise to install and maintain. The most sophisticated and effective firewalls require a specially trained technician or engineer for their maintenance. The special training cost is up to $10,000 per person, and the salary adds $60,000 to $120,000 or more per annum to the cost.
Firewalls have to be constantly maintained, modified, and monitored in order to yield reasonable security. They only cover the TCP part of the Internet Protocol and not the UDP part. Thus, they do not provide security to NFS (Network File Services) and many client/server applications.
The firewall is a full service computer which can be logged into for maintenance and monitoring. Thus, it can be broken into. Once a firewall is compromised it loses its effectiveness and becomes a liability rather than a security aid. Firewalls only protect the connection between a LAN and a WAN (Wide Area Network). It does not protect against intrusion into a particular host from within the LAN.
In view of the foregoing, it is an object of the present invention to provide a network security device which overcomes the shortcomings of the prior art network security devices.
It is another object of the present invention to provide a hardware device to provide network security for individual hosts attached to a network.
It is a further object of the present invention to provide a hardware device to provide network security for a local area network connected to a wide area network.